How to use OpenSSH-based virtual private networks
-------------------------------------------------

OpenSSH contains support for VPN tunneling using the tun(4) network
tunnel pseudo-device which is available on most platforms, either for
layer 2 or 3 traffic.

The following brief instructions on how to use this feature use
a network configuration specific to the OpenBSD operating system.

(1) Server: Enable support for SSH tunneling

To enable the ssh server to accept tunnel requests from the client, you
have to add the following option to the ssh server configuration file
(/etc/ssh/sshd_config):

    PermitTunnel yes

Restart the server or send the hangup signal (SIGHUP) to let the server
reread its configuration.

(2) Server: Restrict client access and assign the tunnel

The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
restrict the client to connect to a specified tunnel and to
automatically start the related interface configuration command. These
settings are optional but recommended:

    tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org

(3) Client: Configure the local network tunnel interface

Use the hostname.if(5) interface-specific configuration file to set up
the network tunnel configuration with OpenBSD. For example, use the
following configuration in /etc/hostname.tun0 to set up the layer 3
tunnel on the client:

    inet 192.168.5.1 255.255.255.252 192.168.5.2

OpenBSD also supports layer 2 tunneling over the tun device by adding
the link0 flag:

    inet 192.168.1.78 255.255.255.0 192.168.1.255 link0

Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
interface, like the following example for /etc/bridgename.bridge0:

    add tun0
    add sis0
    up

(4) Client: Configure the OpenSSH client

To establish tunnel forwarding for connections to a specified
remote host by default, use the following ssh client configuration for
the privileged user (in /root/.ssh/config):

    Host sshgateway
        Tunnel yes
        TunnelDevice 0:any
        PermitLocalCommand yes
        LocalCommand sh /etc/netstart tun0

A more complicated configuration is possible to establish a tunnel to
a remote host which is not directly accessible by the client.
The following example describes a client configuration to connect to
the remote host over two ssh hops in between. It uses the OpenSSH
ProxyCommand in combination with the nc(1) program to forward the final
ssh tunnel destination over multiple ssh sessions.

    Host access.somewhere.net
        User puffy
    Host dmzgw
        User puffy
        ProxyCommand ssh access.somewhere.net nc dmzgw 22
    Host sshgateway
        Tunnel Ethernet
        TunnelDevice 0:any
        PermitLocalCommand yes
        LocalCommand sh /etc/netstart tun0
        ProxyCommand ssh dmzgw nc sshgateway 22

The following network plan illustrates the previous configuration in
combination with layer 2 tunneling and Ethernet bridging.

+--------+          (             )          +----------------------+
| Client |------(     Internet     )---------| access.somewhere.net |
+--------+          (             )          +----------------------+
  : 192.168.1.78                                         |
  :............................                      +-------+
   Forwarded ssh connection   :                      | dmzgw |
   Layer 2 tunnel             :                      +-------+
                              :                          |
                              :                          |
                              :                   +------------+
                              :...................| sshgateway |
                                                  +------------+
--- real connection                          Bridge ->  |       +----------+
... "virtual connection"                               [ X ]----| somehost |
[X] switch                                                      +----------+
                                                                 192.168.1.25

(5) Client: Connect to the server and establish the tunnel

Finally connect to the OpenSSH server to establish the tunnel by using
the following command:

    ssh sshgateway

It is also possible to tell the client to fork into the background after
the connection has been successfully established:

    ssh -f sshgateway true

Without the ssh configuration done in step (4), it is also possible
to use the following command lines:

    ssh -fw 0:1 sshgateway true
    ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252

Using OpenSSH tunnel forwarding is a simple way to establish secure
and ad hoc virtual private networks. Possible fields of application
could be wireless networks or administrative VPN tunnels.

Nevertheless, ssh tunneling requires some packet header overhead and
runs on top of TCP. It is still suggested to use the IP Security
Protocol (IPSec) for robust and permanent VPN connections and to
interconnect corporate networks.

    Reyk Floeter

$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
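The following is an added example and is not part of the OpenSSH README or of the OpenSSH code base. It is a small Python audit of the two server-side settings from steps (1) and (2): it reads an sshd_config fragment for PermitTunnel (sshd honours the first occurrence of a keyword and defaults to "no" when it is absent) and an authorized_keys file, parsing the option prefix the way sshd does (comma-separated, with double-quoted values that may themselves contain commas), and flags key entries that lack the tunnel= pin or the command= forced command the README recommends for the root account. The sample sshd_config and authorized_keys contents, including the key blobs, are constructed placeholders.

```python
"""Audit of PermitTunnel and authorized_keys tunnel restrictions.
Added example, not OpenSSH code; sample inputs at the bottom are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

# A key line with no options starts directly with its key type.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def permit_tunnel_setting(sshd_config: str) -> str:
    """Effective PermitTunnel value: sshd uses the first occurrence of a
    keyword (keywords are case-insensitive) and the default is 'no'."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if parts[0].lower() == "permittunnel" and len(parts) == 2:
            return parts[1].strip().lower()
    return "no"


def split_options(opts: str) -> dict:
    """Split an authorized_keys option string into {name: value}. Values may be
    double-quoted and contain commas (command="a,b") or backslash-escaped
    quotes; bare flags such as no-pty map to None."""
    result, buf, in_quote, i = {}, [], False, 0

    def flush():
        tok = "".join(buf).strip()
        buf.clear()
        if tok:
            name, eq, value = tok.partition("=")
            result[name.lower()] = value.strip('"') if eq else None

    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and in_quote and i + 1 < len(opts):
            buf.append(opts[i + 1])          # keep the escaped character literally
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == "," and not in_quote:
            flush()                          # unquoted comma ends an option
        else:
            buf.append(ch)
        i += 1
    flush()
    return result


@dataclass
class KeyAudit:
    comment: str
    tunnel: Optional[str]        # pinned tun device number, or None
    command: Optional[str]       # forced command, or None
    findings: list = field(default_factory=list)


def audit_authorized_keys(text: str) -> list:
    """One KeyAudit per key line; findings name the missing restrictions."""
    audits = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = {}
        if not line.startswith(KEY_TYPE_PREFIXES):
            # Options come first and end at the first unquoted whitespace.
            i, in_quote = 0, False
            while i < len(line):
                c = line[i]
                if c == "\\" and in_quote:
                    i += 2
                    continue
                if c == '"':
                    in_quote = not in_quote
                elif c.isspace() and not in_quote:
                    break
                i += 1
            options = split_options(line[:i])
            line = line[i:].strip()
        fields = line.split(None, 2)         # key type, base64 blob, comment
        comment = fields[2] if len(fields) > 2 else ""
        a = KeyAudit(comment, options.get("tunnel"), options.get("command"))
        if a.tunnel is None:
            a.findings.append("no tunnel= option: client may request any tun device")
        if a.command is None:
            a.findings.append("no command= option: key also grants a shell, "
                              "not just the interface configuration command")
        audits.append(a)
    return audits


def audit(sshd_config: str, authorized_keys: str) -> dict:
    return {"permit_tunnel": permit_tunnel_setting(sshd_config),
            "keys": audit_authorized_keys(authorized_keys)}


# Constructed sample inputs; the key blobs are placeholders, not real keys.
SAMPLE_SSHD_CONFIG = "# constructed fragment\nPort 22\nPermitTunnel yes\n"
SAMPLE_AUTHORIZED_KEYS = (
    'tunnel="1",command="sh /etc/netstart tun1" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER reyk@openbsd.org\n'
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER unrestricted@example\n'
)

if __name__ == "__main__":
    report = audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS)
    print("PermitTunnel:", report["permit_tunnel"])
    for k in report["keys"]:
        print(f"{k.comment or '<no comment>'}: tunnel={k.tunnel} command={k.command!r}")
        for f in k.findings:
            print("  -", f)
```

Run against real files with `audit(open("/etc/ssh/sshd_config").read(), open("/root/.ssh/authorized_keys").read())`; any key in root's file that shows a finding can request tunnel devices beyond the one intended, or run commands other than the netstart script, while PermitTunnel is "yes".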